de.dariah.eu
DARIAH FIM experiences and plans
4th Federated Identity Management Workshop, Nijmegen, 21.-22.06.2012
Peter Gietz, DAASI International GmbH
20 June 2012 2
Agenda
• DARIAH Intro
• Current AAI set-up
• Authorization
• Web Services Integration
• Current research

BTW: DAASI International GmbH is:
– a small company specialized in Open Source based (Federated) Identity Management
– leads and performs the AAI activities in DARIAH
DARIAH-EU
• DARIAH: Digital Research Infrastructure for the Arts and Humanities
• One of the few ESFRI projects for the humanities
• Planning phase as an EU-funded project
• In the current construction phase most of the work is done in national projects
Basic Structure of DARIAH
[Diagram: four Virtual Competency Centres – VCC 1 e-Infrastructure, VCC 2 Research and Education, VCC 3 Scholarly Content Management, VCC 4 Advocacy]
Virtual Competency Centres
• VCC1 e-Infrastructure [Germany / Austria] … to establish a shared technology platform for A+H research
• VCC2 Research and Education [Ireland / Denmark] … to expose and share researchers' knowledge, methodologies and expertise
• VCC3 Scholarly Content Management [France / Netherlands] … to expose and share scholarly content
• VCC4 Advocacy, Outreach, and Impact [currently @DCO] … to interface with key influencers in/for A+H
[Diagram: the four VCCs – e-Infrastructure, Research & Education, Scholarly Content, Advocacy]
[Diagram: DARIAH-EU and the national consortia (DARIAH-FR, DARIAH-IE, DARIAH-AT, … further countries DARIAH-nn …), each mirroring the four VCCs – e-Infrastructure, Research and Education, Scholarly Content Management, Advocacy – labelled in the national languages (German: Forschung und Lehre, Forschungsdaten, e-Infrastruktur, Advocacy; French: Liaison education et recherche, e-infrastructure, Promotion et diffusion, Management des contenus)]
DARIAH-DE Consortium
• 17 partners
• 7 universities
• 4 computing centres
• 1 library
• 1 academy of sciences
• 1 commercial partner
• 3 research institutes
VCC1 e-Infrastructure
[Diagram of VCC1 e-Infrastructure services, with AAI highlighted: Hardware, VM Hosting, Service Hosting, Bitstream Preservation, Software Interoperability, Provenance Concept, Issue Tracking, Version Control, Archive-in-a-Box, Faceted Search, Reference Data and Services, Continuous Integration, Wiki / WebDAV, Schema Registry, Collection Registry, Guidelines, Responsibilities and Contacts, PID]
Current AAI set-up
A first version of an AA infrastructure (AAI) has been deployed, based on two standards:
• LDAP
– for authentication and authorization attributes
– deploying the Open Source software OpenLDAP
• SAML
– for AAI within a federation
– including the Web Single Sign-On feature
– deploying the Open Source software Shibboleth
Current AAI set-up
• OpenLDAP provider server
– Web-based password reset tool
– Web-based administration tool, including group management
– LDAP-based applications like Jira can use it as authentication and authorization server
• OpenLDAP replica server
– contains all data of the OpenLDAP provider
– a Shibboleth Identity Provider is connected to it
– DARIAH services are being "shibbolized"
Current AAI set-up
Authorization
• Options:
1. store authZ info decentralized in campus IDMs, and do authZ locally in the SP / application based on those attributes
2. store authZ info centrally and let the application call out to a central PDP
3. a mixture: store authZ info centrally but let the SP / application decide upon access
• DARIAH: Keep it simple and first go with 3), perhaps later with 2), leveraging the openRBAC system from the TextGrid project.
Authorization
Authorization
• No change to campus IdPs
• Standard Shibboleth SP to protect applications, however with special configuration:
– aggregates attributes from the campus IdP and the DARIAH IdP
– requires a minimum set of attributes, otherwise redirects to the registration application at the DARIAH SP
Authorization
• DARIAH LDAP with authZ groups managed by admin portal
• DARIAH IdP gets data from DARIAH LDAP and releases both user attributes and entitlements (based on groups) to SPs
• Central Registration SP writes manually completed user attributes to central LDAP
External PDP in TextGrid
[Diagram: OpenRBAC Architecture]

Shibboleth and SLCs

WebSSO vs. ECP
Web Service integration
• Easy to build basic single-tier profile with Shibboleth
– Actors are: subject/client, IdP and SP
– This basic use case needs a special ECP client, but no modifications for current IdPs and SPs
• However, multi-tier delegation (e.g. portal → service) is much more difficult with Shibboleth:
– Actors: subject/client, IdP, portal SP, service SP, ...
– More profiles than just ECP
– Special IdP extension to be compiled and configured
– Extra configuration at each IdP for which portal may access which service
ECP Adoption
• ECP Binding in SAML2 Metadata: SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
• DARIAH IdP is/was the only IdP in the DFN-AAI that advertises the ECP binding
– could be because the DFN-AAI directory did not support that profile until recently
– Within a federal state in Germany, ECP is currently being evaluated for production use
• A substantial number of IdPs support it in principle (included since Shibboleth IdP v2.3)
ECP Adoption
• Our survey of the federation metadata of all the European SAML-based federations listed as members of eduGAIN found the ECP binding advertised only by:
– DFN-AAI
– two IdPs in the UK
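An added example (not from the slides or the DARIAH project) of the survey described above: scanning SAML2 federation metadata for IdPs whose SingleSignOnService advertises the SOAP (ECP) binding. The metadata and entity IDs below are constructed.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ECP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample federation metadata (hypothetical entity IDs):
# idp-a advertises ECP, idp-b is WebSSO-only, sp-c is a Service Provider.
SAMPLE_METADATA = f"""<EntitiesDescriptor xmlns="{MD_NS}" Name="urn:example:federation">
  <EntityDescriptor entityID="https://idp-a.example.org/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="{REDIRECT_BINDING}"
          Location="https://idp-a.example.org/idp/profile/SAML2/Redirect/SSO"/>
      <SingleSignOnService Binding="{ECP_BINDING}"
          Location="https://idp-a.example.org/idp/profile/SAML2/SOAP/ECP"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp-b.example.org/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="{REDIRECT_BINDING}"
          Location="https://idp-b.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp-c.example.org/shibboleth"><SPSSODescriptor/></EntityDescriptor>
</EntitiesDescriptor>"""

def ecp_support(metadata_xml):
    """Map every IdP entityID in the metadata to True/False: does it advertise ECP?"""
    root = ET.fromstring(metadata_xml)
    tag = lambda name: "{%s}%s" % (MD_NS, name)  # namespace-qualified tag
    report = {}
    for entity in root.iter(tag("EntityDescriptor")):  # also walks nested EntitiesDescriptors
        idp = entity.find(tag("IDPSSODescriptor"))
        if idp is None:
            continue  # SPs and attribute authorities carry no SingleSignOnService
        bindings = {sso.get("Binding") for sso in idp.findall(tag("SingleSignOnService"))}
        report[entity.get("entityID")] = ECP_BINDING in bindings
    return report

def ecp_idps(metadata_xml):
    """Sorted list of IdP entityIDs that advertise the ECP (SOAP) binding."""
    return sorted(eid for eid, ok in ecp_support(metadata_xml).items() if ok)

if __name__ == "__main__":
    report = ecp_support(SAMPLE_METADATA)
    print("%d of %d IdPs advertise ECP:" % (sum(report.values()), len(report)))
    for eid in ecp_idps(SAMPLE_METADATA):
        print("  " + eid)
```

Point `ecp_support` at a downloaded federation aggregate (after verifying its signature) to repeat the survey for a real federation.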
OAuth2
• Simpler implementation for clients, pure HTTP(S) and JSON
• Authorization Server could be shared for multiple resource servers → presumably less implementation effort on the resource side
• Allows for delegation
• SAML IdPs can be connected via SAML Bearer Token
• Access and Refresh Token instead of login/password
• Natively uses OpenID Connect for AuthN (and other mechanisms possible, instead of SAML, if needed)
• Pushed by the industry, so probably the better bet in the future?
Thanks for your Attention!
• Questions?
• DARIAH – www.dariah.eu
• TextGrid – www.textgrid.de
• DAASI International – www.daasi.de – [email protected]